Over the past few weeks, cybercriminals have been persistently spamvertising 'Inter-company invoice' themed emails, attempting to trick users into opening the malicious .html attachment or into unpacking and executing the malicious binary found in the attached archives. Clicking the link exposes users to the client-side exploits served by the latest version of the Black Hole Exploit Kit.

The second sample, obtained from yet another spamvertised archive (MD5: 3a8ce3d72b60b105783d74dbc65c37a6), is detected by 37 out of 44 antivirus scanners as Worm:Win32/Cridex.E. Upon execution it phones back to the following URL: 188.40.0.138:8080/AJtw/UCyqrDAA/Ud+asDAA (AS24940, HETZNER-AS).
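The phone-home URL and the sample's MD5 are the indicators a defender can act on. Below is an added example, not code from the original post, that turns them into a small proxy-log check: it flags any request to the C2 host and port, distinguishes an exact hit on the Cridex path from other traffic to that host, and matches file bytes against the published MD5. The squid-style log lines and the log layout it assumes are constructed for the example.

```python
import hashlib
from urllib.parse import urlsplit

# Indicators from the write-up above: the sample's MD5 and the URL it phones back to.
C2_HOST = "188.40.0.138"
C2_PORT = 8080
C2_PATH = "/AJtw/UCyqrDAA/Ud+asDAA"
KNOWN_SAMPLE_MD5 = {"3a8ce3d72b60b105783d74dbc65c37a6"}

# Constructed squid-style access.log lines (assumed layout:
# ts elapsed client action/code size method url ident hierarchy type).
SAMPLE_LOG = """\
1337000001.123    245 10.0.0.15 TCP_MISS/200 1342 POST http://188.40.0.138:8080/AJtw/UCyqrDAA/Ud+asDAA - HIER_DIRECT/188.40.0.138 text/html
1337000002.456     88 10.0.0.22 TCP_MISS/200 5120 GET http://example.com/index.html - HIER_DIRECT/93.184.216.34 text/html
1337000003.789    310 10.0.0.15 TCP_MISS/404 512 GET http://188.40.0.138:8080/favicon.ico - HIER_DIRECT/188.40.0.138 text/html
"""


def classify_url(url):
    """Return 'c2_beacon' for an exact match on host, port and path,
    'c2_host' for any other request to the C2 host:port, otherwise None."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.hostname != C2_HOST or port != C2_PORT:
        return None
    return "c2_beacon" if parts.path == C2_PATH else "c2_host"


def scan_proxy_log(text):
    """Scan squid-style log text and return (client, url, verdict)
    for every request that touches the C2 indicators."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        client, url = fields[2], fields[6]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


def is_known_sample(data):
    """True if the bytes hash to the MD5 of the spamvertised sample."""
    return hashlib.md5(data).hexdigest() in KNOWN_SAMPLE_MD5


if __name__ == "__main__":
    for client, url, verdict in scan_proxy_log(SAMPLE_LOG):
        print(f"{verdict:10} {client} -> {url}")
```

Treat a `c2_beacon` hit as a host to isolate and image; a `c2_host` hit on a shared Hetzner address only says the machine reached that server, so confirm it against the sample hash or the beacon path before escalating. Cridex C2 paths and hosts rotate between campaigns, so these literals are a point-in-time check, not a durable signature.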